claude-code-restored-runtime
Fail
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs users to clone and install code from a third-party GitHub repository (https://github.com/oboard/claude-code-rev.git) that is not associated with the official project or the author's verified infrastructure.
- [REMOTE_CODE_EXECUTION]: The provided installation instructions involve executing the downloaded third-party code via bun install and bun run dev. Since the code is described as being reconstructed from source maps with shims and degraded implementations, there is a high risk of malicious logic being present.
- [COMMAND_EXECUTION]: The skill facilitates the setup of an AI agent runtime (Claude Code) which is designed to have broad permissions to execute shell commands and modify the local filesystem. Providing these capabilities to an unverified codebase is a severe security risk.
- [DATA_EXFILTRATION]: The runtime configuration requires users to provide sensitive environment variables such as GITHUB_TOKEN or GH_TOKEN. This creates a direct risk of credential theft if the unverified source code contains exfiltration logic.
- [PROMPT_INJECTION]: The skill sets up an agentic environment with a large attack surface for indirect prompt injection.
- Ingestion points: Untrusted data enters the context via local project files, MCP tool results, and GitHub API responses.
- Boundary markers: No delimiters or instructions to ignore embedded commands are specified in the setup.
- Capability inventory: The agent has full shell access and filesystem read/write capabilities (referenced in the Claude Code runtime description).
- Sanitization: There is no evidence of sanitization or validation of external content processed by the third-party runtime.
Recommendations
- AI detected serious security threats
Audit Metadata